up:: The New Standards MOC

Post-Quantum Cryptography (PQC)

Post-quantum cryptography (PQC) is cryptography built on math problems believed to be hard even for a quantum computer, so it keeps protecting data against both the classical computers of today and the quantum computers of tomorrow. The part that surprises most people is that it runs as ordinary software on the computers and networks you already have. There’s no quantum hardware to buy. NIST defines it as “cryptographic systems that are secure against both quantum and classical computers, and can interoperate with existing communications protocols and networks.”

Source: NIST IR 8105, “Report on Post-Quantum Cryptography,” April 2016, csrc.nist.gov.

The short version:

  • PQC is math-based cryptography whose security rests on problems believed hard for quantum computers too, and it runs as software on existing computers and networks.
  • That’s the practical line between PQC and QKD: QKD needs special optical hardware and dedicated links, while PQC is a software swap on the internet you already run.
  • It rests on several different math families, mainly lattice, plus code-based and hash-based, so a break in one kind of math doesn’t take down the whole transition.
  • NIST standardized the first three algorithms in August 2024: ML-KEM for key establishment, and ML-DSA and SLH-DSA for signatures.
  • “Post-quantum” means believed secure against the quantum attacks we know about, which is a weaker claim than proven unbreakable, and that gap is exactly why crypto-agility matters.

Think of PQC as swapping the lock on your front door for one built around a puzzle even a quantum burglar can’t pick, while keeping the same door, the same frame, and the same key you already carry in your pocket. The door stays where it is, the house doesn’t change, and the person walking through barely notices. What changed is the one piece an attacker was going to target, the lock itself, replaced with math that holds up against a machine the old lock never anticipated.

What is post-quantum cryptography?

Post-quantum cryptography is the family of public-key algorithms whose security rests on mathematical problems that stay hard even when the attacker owns a large quantum computer. The public-key cryptography the internet runs on today, RSA, Diffie-Hellman, and elliptic-curve cryptography, all rest on two problems that a quantum computer running Shor’s algorithm solves efficiently: integer factorization and the discrete logarithm problem. PQC replaces those algorithms with new ones built on different math, chosen precisely because no efficient quantum attack against them is known.

The word “post-quantum” describes the threat it defends against, a future quantum adversary, and says nothing about how the algorithm itself is built. Every standardized PQC algorithm is classical software. It executes on the same CPUs, in the same TLS libraries, over the same TCP/IP, as the cryptography it replaces. Two other names get used for the same idea: quantum-resistant (NIST’s own alternate term) and quantum-safe (common in industry). They point at the same thing, math-based cryptography that survives a quantum computer.

Source: NIST IR 8105, “Report on Post-Quantum Cryptography,” April 2016, csrc.nist.gov.

Does PQC run on my existing computers and networks?

Yes, and this is the single most important thing to understand about it. PQC is a set of algorithms that run in software on the classical hardware you already own. Adopting it means updating cryptographic libraries, certificates, and protocol configurations, the same category of work as any other cryptographic upgrade, at software scale. NIST built the requirement to “interoperate with existing communications protocols and networks” into the definition of the field, so the standardized algorithms drop into TLS, IPsec, SSH, and PKI rather than demanding a parallel network.

That’s the practical reason PQC, and not any quantum-native technology, is the mainstream answer to the quantum threat. It reaches every routed network, the public internet, and many-to-many communication, all the places a physical-layer approach like QKD structurally can’t go. The migration is large because cryptography is buried in so many systems, and every piece of it is a software and configuration change, with no new physics on the wire.

Source: NIST IR 8105, “Report on Post-Quantum Cryptography,” April 2016, csrc.nist.gov.

Why do we need post-quantum cryptography?

A sufficiently large quantum computer running Shor’s algorithm breaks the public-key cryptography that secures nearly all digital communication. That single capability collapses the two jobs public-key crypto does: key establishment (agreeing on a shared secret) and digital signatures (proving identity and integrity). Symmetric cryptography holds up far better, since Grover’s algorithm only halves the effective strength of a symmetric key, so AES-256 stays comfortably safe. The exposure is concentrated in the public-key layer, and that’s exactly the layer PQC replaces.

The urgency isn’t only about the day the quantum computer arrives. Harvest now, decrypt later means an adversary can record encrypted traffic today and decrypt it years later once the machine exists. Any data whose secrecy has to outlast the migration is at risk the moment it’s collected, so for long-lived confidential data the clock is already running. That’s why the standards bodies treat the transition as present-tense work rather than a problem to schedule for the day the hardware appears.

How is PQC different from quantum cryptography or QKD?

They solve overlapping problems by opposite means, and the market blurs them constantly. Post-quantum cryptography is math-based software that runs on ordinary networks. Quantum key distribution is a hardware technology that uses the physics of measurement to share a key over a dedicated optical link, so any eavesdropper is detectable. PQC is the substrate the major Western security agencies recommend for the transition; QKD is a specialized tool with real physical limits. The full treatment of the quantum-native side lives in quantum-native security.

Post-quantum cryptography (PQC)QKD
Security basisMath problems believed hard even for a quantum computerLaws of physics (measuring a quantum state disturbs it)
FormSoftware algorithms on existing hardwareSpecial optical hardware plus dedicated fiber or line-of-sight
What it doesKey establishment and digital signaturesKey agreement only
ReachAny routed network, the public internet, many-to-manyPoint-to-point, roughly 100 to a few hundred km per link
AuthenticationProvides it directly (ML-DSA, SLH-DSA)None on its own; needs a separate classical or PQC layer
StandardizationFinalized NIST standards (ML-KEM, ML-DSA, SLH-DSA)Protocols not under a settled assurance standard
Agency stanceThe recommended path for the transitionNiche; not recommended for general or high-assurance use

Source: NSA Cybersecurity, “Quantum Key Distribution (QKD) and Quantum Cryptography (QC)”; NIST, “NIST Releases First 3 Finalized Post-Quantum Encryption Standards,” August 13, 2024, nist.gov.

The clean way to hold it: PQC secures the traffic; QKD, where it fits at all, secures one narrow key-agreement step on a physical link you control end to end. For general-purpose enterprise, cloud, and internet systems, PQC carries the migration and QKD can’t even operate.

What hard problems is PQC based on?

Every post-quantum algorithm rests on a math problem for which no efficient quantum attack is known, and NIST deliberately drew from more than one kind of problem so that a break in one family doesn’t collapse the whole transition. NIST IR 8105 surveyed the main candidate families in 2016, and the standardized algorithms come from the lattice, code-based, and hash-based lines.

FamilyThe hard problem it rests onWhere it shows up
Lattice-basedFinding short vectors in a high-dimensional lattice (Module-LWE, NTRU)ML-KEM, ML-DSA (the main line)
Code-basedDecoding a random linear error-correcting code (syndrome decoding)HQC, Classic McEliece (the backup)
Hash-basedThe collision and preimage resistance of a hash functionSLH-DSA (the conservative hedge)
MultivariateSolving systems of multivariate quadratic equationsStudied in NIST IR 8105; none finalized
Isogeny-basedFinding isogenies between elliptic curvesFlagship scheme broken in 2022, see below

Source: NIST IR 8105, “Report on Post-Quantum Cryptography,” April 2016, csrc.nist.gov.

The reason for the spread is a hard-won lesson. Lattice cryptography is the efficient, well-studied main line, and it carries the two workhorse standards. Code-based cryptography rests on a decades-old, independently studied assumption, which is why NIST added HQC as a backup KEM on different math. Hash-based signatures rely on nothing but the strength of a hash function, the most conservative assumption of all, which is why SLH-DSA is the hedge for the small set of long-lived, high-assurance keys. Standardizing across families is insurance against any one of these problems turning out to be easier than believed.

What does PQC replace, and what stays the same?

PQC is a public-key story. It replaces the quantum-vulnerable public-key algorithms and leaves the symmetric world almost untouched, which narrows the migration far more than “quantum breaks encryption” suggests.

  1. Replace the key-establishment algorithms. RSA key transport, Diffie-Hellman, and ECDH move to ML-KEM, usually through a hybrid step that runs a classical algorithm and ML-KEM together. This half is urgent because it’s the part exposed to harvesting.
  2. Replace the signature algorithms. RSA and ECDSA signatures move to ML-DSA by default, with SLH-DSA for conservative long-lived keys. Signatures fail only once a quantum computer is real, so PKI and signing migrate on a slower, deliberate track.
  3. Keep the symmetric cryptography. AES-256 and the SHA-2 and SHA-3 hashes stay in place, because Grover’s algorithm only halves symmetric strength and a 256-bit key absorbs that comfortably.

The full standard-by-standard detail, parameter sets, sizes, how to choose among the three signature standards, lives in the new standards. The one-line map is that ML-KEM replaces key exchange, ML-DSA and SLH-DSA replace signatures, and symmetric crypto rides through with minor adjustment.

Is post-quantum cryptography proven safe?

No, and any vendor who implies otherwise is overselling. “Post-quantum” means believed secure against the quantum attacks we currently know, which is a genuinely different claim from mathematically proven unbreakable forever. These assumptions are younger than RSA’s, and cryptanalysis, classical or quantum, could still find a weakness. The field has a vivid reminder of this: isogeny-based cryptography looked like a promising, compact family until its leading scheme, SIDH/SIKE, was broken by an ordinary classical computer in 2022 and withdrawn.

Source: Castryck and Decru, “An Efficient Key Recovery Attack on SIDH,” IACR ePrint 2022/975, eprint.iacr.org.

The right response isn’t to wait for a certainty that will never arrive. It’s to migrate to the standardized algorithms now, which closes the known quantum exposure, and to build so that the next algorithm change is a configuration update rather than a rebuild. That property is crypto-agility, and it’s the architectural companion to every PQC choice, precisely because “believed secure” can change and the systems have to be able to move when it does.

Common misconceptions

  • “PQC needs a quantum computer to run.” It runs on ordinary classical hardware. The word “quantum” in “post-quantum” names the threat it defends against, not the machine it runs on.
  • “PQC is the same as QKD or quantum encryption.” They’re different categories. PQC is math-based software on existing networks; QKD is physics-based hardware on dedicated optical links.
  • “Quantum breaks all encryption, so PQC replaces everything.” It replaces the public-key layer. Symmetric encryption (AES-256) and hashes (SHA-2, SHA-3) survive with minor adjustment.
  • “Post-quantum means proven unbreakable.” It means believed secure against known quantum attacks. The isogeny break shows a family can look solid for years and still fall, which is why crypto-agility matters.
  • “There’s one post-quantum algorithm.” There are several, on purpose, across multiple math families, so a break in one kind of math doesn’t end the transition.
  • “We can wait until a quantum computer actually exists.” Harvest now, decrypt later means long-lived data is exposed the moment it’s collected, so the migration is present-tense work for anything that must stay secret for years.

Questions people ask

Do I need new hardware to use post-quantum cryptography? No. PQC is software. Adopting it means updating cryptographic libraries, certificates, and protocol configurations on the systems you already run, the same category of work as any cryptographic upgrade. The only technology that needs special quantum hardware is QKD, which is a separate, niche thing.

Is post-quantum cryptography the same as quantum encryption? No. “Quantum encryption” usually points at QKD, which uses physics and dedicated optics. Post-quantum cryptography is math-based software that runs on ordinary networks and is the mainstream answer the security agencies recommend.

Which post-quantum algorithm should I use? For key establishment, ML-KEM, usually as a hybrid with a classical algorithm. For signatures, ML-DSA by default, with SLH-DSA reserved for long-lived, high-assurance keys. The full selection guidance is in the new standards.

Does PQC replace AES and SHA? Barely. Keep AES-256 and the SHA-2 and SHA-3 hashes. Grover’s algorithm only halves symmetric strength, so a 256-bit key stays safe, and the transition is a public-key story.

Is post-quantum cryptography ready to deploy now? Yes for the finalized standards. NIST published ML-KEM, ML-DSA, and SLH-DSA as final Federal Information Processing Standards on August 13, 2024, and they’re implemented in mainstream cryptographic libraries. Most programs deploy ML-KEM first, in hybrid mode.

Source: NIST, “NIST Releases First 3 Finalized Post-Quantum Encryption Standards,” August 13, 2024, nist.gov.

Will a quantum computer break post-quantum cryptography too? No known quantum attack breaks the standardized PQC algorithms, which is why they were chosen. The honest caveat is that “believed secure against known attacks” is not a proof, so the discipline is to migrate now and stay able to swap algorithms if the picture changes.

Why are there multiple PQC algorithms instead of one? So that a break in one kind of math doesn’t collapse the whole transition. NIST standardized across lattice, code-based, and hash-based families deliberately, after watching the isogeny family’s flagship scheme fall in 2022.

What’s the difference between “post-quantum,” “quantum-safe,” and “quantum-resistant”? They name the same idea, math-based cryptography that withstands a quantum computer. “Quantum-resistant” is NIST’s alternate term, “quantum-safe” is the common industry phrasing, and “post-quantum” is the umbrella name for the field.


Everything here is the map, given freely. When your team needs post-quantum cryptography turned into a migration sequenced and quantified against your own systems, defensible to your own regulator, that’s the work I do, and there’s an alignment briefing for it.

Last verified 2026-07-09 · Maintained by Addie LaMarr, LaMarr Labs.